I have been looking for a solution, preferably native, to monitor changes to firewall rules across multiple Azure SQL databases hosted on different Azure SQL servers. While Azure Policy seemed to fit the bill initially, it later turned out to be only okay, and that only for Azure SQL servers. Today I came across Purview, showcased as a data governance solution. I managed to set up a Purview account and hooked up a database to be scanned. The scan rules didn't offer much customizability, and it wasn't clear to me what it actually scans: does it just look for stray IP addresses across the database? I could not decipher much from the results for my use case either.
Is there any way to achieve my objective using Purview? I am also open to other suggestions to achieve it.
2 Answers
Azure Functions coupled with Logic Apps turned out to be a good solution for this. The logic app, which is triggered by an activity log alert, in turn activates an Azure Function that uses a PowerShell script to maintain only the approved set of firewall rules on an SQL server. Yes, this does not go inside the databases and check for firewall rules defined there, but for my purpose this turned out to be sufficient.
I got the above inputs from this source.
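The enforcement function described in this answer, written out as an added example (this is not the answer author's script and not anything from the linked source). It is a PowerShell HTTP-triggered Azure Function using the Az.Sql cmdlets. Assumptions: the logic app forwards a JSON body of the form `{"resourceGroup": "...", "serverName": "..."}` taken from the alert's target resource, the function app's managed identity holds `Microsoft.Sql/servers/firewallRules/*` permissions on the server, and the approved rule set in `$ApprovedRules` (names and IP ranges) is constructed sample data.

```powershell
# Azure Function (PowerShell, HTTP trigger) called by the logic app after an
# activity log alert fires. Added example; assumes the logic app posts
# {"resourceGroup":"rg-sql","serverName":"sql-prod-01"} and that the
# function's managed identity may read/write/delete server firewall rules.
using namespace System.Net
param($Request, $TriggerMetadata)

# Approved server-level rules per server: rule name -> start/end IP.
# Constructed sample data; in practice load this from config or Key Vault.
$ApprovedRules = @{
    'sql-prod-01' = @{
        'AllowOfficeVpn' = @{ Start = '203.0.113.10';  End = '203.0.113.10' }
        'AllowCiRunners' = @{ Start = '198.51.100.0';  End = '198.51.100.31' }
    }
}

# Compare the live rule set with the approved one and classify the drift:
# Remove = unapproved rules, Fix = approved names with a changed IP range,
# Add = approved rules that are missing.
function Get-FirewallRuleDrift {
    param([hashtable]$Approved, [object[]]$Current)
    $drift = @{ Remove = @(); Fix = @(); Add = @() }
    foreach ($rule in $Current) {
        $want = $Approved[$rule.FirewallRuleName]
        if ($null -eq $want) { $drift.Remove += $rule.FirewallRuleName; continue }
        if ($rule.StartIpAddress -ne $want.Start -or $rule.EndIpAddress -ne $want.End) {
            $drift.Fix += $rule.FirewallRuleName
        }
    }
    $present = @($Current | ForEach-Object FirewallRuleName)
    foreach ($name in $Approved.Keys) {
        if ($present -notcontains $name) { $drift.Add += $name }
    }
    return $drift
}

# Reconcile one server back to its approved rule set and return what changed.
function Sync-ApprovedFirewallRules {
    param([string]$ResourceGroup, [string]$ServerName)
    $approved = $ApprovedRules[$ServerName]
    if ($null -eq $approved) {
        # Fail closed: never touch a server we have no baseline for.
        throw "No approved rule set for server '$ServerName'; refusing to act."
    }
    $current = @(Get-AzSqlServerFirewallRule -ResourceGroupName $ResourceGroup -ServerName $ServerName)
    $drift = Get-FirewallRuleDrift -Approved $approved -Current $current

    foreach ($name in $drift.Remove) {
        Write-Warning "Removing unapproved rule '$name' on $ServerName"
        Remove-AzSqlServerFirewallRule -ResourceGroupName $ResourceGroup -ServerName $ServerName `
            -FirewallRuleName $name -Force
    }
    foreach ($name in $drift.Fix) {
        Write-Warning "Resetting modified rule '$name' on $ServerName"
        Set-AzSqlServerFirewallRule -ResourceGroupName $ResourceGroup -ServerName $ServerName `
            -FirewallRuleName $name -StartIpAddress $approved[$name].Start -EndIpAddress $approved[$name].End
    }
    foreach ($name in $drift.Add) {
        Write-Warning "Recreating missing approved rule '$name' on $ServerName"
        New-AzSqlServerFirewallRule -ResourceGroupName $ResourceGroup -ServerName $ServerName `
            -FirewallRuleName $name -StartIpAddress $approved[$name].Start -EndIpAddress $approved[$name].End
    }
    return $drift
}

# Entry point: validate the body the logic app sent, then reconcile.
$body = $Request.Body
if (-not $body.resourceGroup -or -not $body.serverName) {
    Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
        StatusCode = [HttpStatusCode]::BadRequest
        Body       = 'resourceGroup and serverName are required'
    })
    return
}
$result = Sync-ApprovedFirewallRules -ResourceGroup $body.resourceGroup -ServerName $body.serverName
Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
    StatusCode = [HttpStatusCode]::OK
    Body       = ($result | ConvertTo-Json)
})
```

Two caveats a practitioner should keep in mind. First, the script enforces server-level rules only; database-level rules (visible through `sys.database_firewall_rules` inside each database) are not covered, exactly as the answer says. Second, it will also delete the `AllowAllWindowsAzureIps` rule (the 0.0.0.0 entry created by "Allow Azure services") if that rule is not in the approved set, so decide deliberately whether it belongs there. Because every write is itself an activity log event, the alert that triggers the logic app will fire again on the function's own corrections; the function is idempotent, so the second run finds no drift and makes no changes.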
Purview is not the right tool for this. Your best bet is using Azure Monitor to create an alert when rules are created, updated or deleted. When creating a new alert choose the following signal(s):